The MAILING DATE of this communication appears on the cover sheet with the correspondence address.

All claims being allowable, PROSECUTION ON THE MERITS IS (OR REMAINS) CLOSED in this application. If not included 
herewith (or previously mailed), a Notice of Allowance (PTOL-85) or other appropriate communication will be mailed in due course. THIS 
NOTICE OF ALLOWABILITY IS NOT A GRANT OF PATENT RIGHTS. This application is subject to withdrawal from issue at the initiative 
of the Office or upon petition by the applicant. See 37 CFR 1.313 and MPEP 1308. 

1. This communication is responsive to the amendment filed on 2/22/2011.

2. The allowed claim(s) is/are 8-14, 21-25, 27 and 28.

3. □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 

a) □ All b) □ Some* c) □ None of the: 

1. □ Certified copies of the priority documents have been received. 

2. □ Certified copies of the priority documents have been received in Application No. . 

3. □ Copies of the certified copies of the priority documents have been received in this national stage application from the 

International Bureau (PCT Rule 17.2(a)). 
* Certified copies not received: . 

Applicant has THREE MONTHS FROM THE "MAILING DATE" of this communication to file a reply complying with the requirements 
noted below. Failure to timely comply will result in ABANDONMENT of this application. 
THIS THREE-MONTH PERIOD IS NOT EXTENDABLE. 

4. □ A SUBSTITUTE OATH OR DECLARATION must be submitted. Note the attached EXAMINER'S AMENDMENT or NOTICE OF 

INFORMAL PATENT APPLICATION (PTO-152) which gives reason(s) why the oath or declaration is deficient. 

5. □ CORRECTED DRAWINGS ( as "replacement sheets") must be submitted. 

(a) □ including changes required by the Notice of Draftsperson's Patent Drawing Review ( PTO-948) attached 

1) □ hereto or 2) □ to Paper No./Mail Date . 

(b) □ including changes required by the attached Examiner's Amendment / Comment or in the Office action of 

Paper No./Mail Date . 

Identifying indicia such as the application number (see 37 CFR 1.84(c)) should be written on the drawings in the front (not the back) of 
each sheet. Replacement sheet(s) should be labeled as such in the header according to 37 CFR 1.121(d). 

6. □ DEPOSIT OF and/or INFORMATION about the deposit of BIOLOGICAL MATERIAL must be submitted. Note the 

attached Examiner's comment regarding REQUIREMENT FOR THE DEPOSIT OF BIOLOGICAL MATERIAL. 
EXAMINER'S AMENDMENT 

An examiner's amendment to the record appears below. Should the changes and/or 
additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 
1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the 
payment of the issue fee. 

Authorization for this examiner's amendment was given in a telephone interview with 
Joe Mehrle on 4/19/2011. 

The application has been amended as follows: 
IN THE CLAIMS: 



1-7. (Canceled) 



8. (Currently Amended) A method implemented in a non-transitory computer-readable medium and for 
executing on a proxy server the method for policy and attribute based access to a resource, comprising: 

receiving, at the proxy server, a session request for access to a resource, the session request is sent 
from a service and includes alias identity information for a principal, the alias identity information includes 
a random password and a random principal identification, the alias identity information is randomly 
generated for identity information, the identity information identifies a true identity for the principal; 

mapping, by the proxy server, the alias identity information to the identity information of the principal, the 
identity information associated with the true identity of the principal whereas the alias identity information 
is the random password and the random principal identification and the identity information and the true 
identity of the principal is available to the proxy server but not the service or the resource; 

authenticating, by the proxy server, the identity information; 

acquiring, by the proxy server, a service contract for the principal, the service, and the resource, the 
service contract is derived from an identity configuration for the principal and the identity configuration 
represents aggregated access policies and attributes for the principal with respect to the resource and all 
known services that are available to the principal, each service is an application or system that the 
principal uses to gain access to the resource; 

obtaining from the service contract selective resource access policies and attributes which are permissibly 
used by the service when accessing the resource on behalf of the principal; 

defining, via the service contract, a tripartite relationship among the principal, the service, and the 
resource, the service contract is derived from an identity configuration of the principal, the service 
contract including security strictures for the tripartite relationship including the selective resource access 
policies and the attributes, the access policies define operations that the service can and cannot perform 
on behalf of the principal against the attributes of the resource the attributes define specific data fields 
defined within the resource; [[and]]

establishing, by the proxy server, a session with the service, the session is controlled by the service 
contract, the service interacts through the proxy server with a Lightweight Directory Access Protocol 
(LDAP) legacy interface for the resource to make access requests for the principal in a format that is 
handled by the LDAP legacy interface and the LDAP legacy interface is not modified to handle the access 
requests, the access requests are in accordance with the service contract; and 

managing, at the proxy server, the session by acting as an intermediary between the service and the 
legacy LDAP interface which has access privileges to the resource. 



9. (Previously Presented) The method of claim 8 further comprising accessing, by the proxy server, the 
identity configuration for the principal in order to acquire the selective resource access policies and 
attributes included within the service contract. 
10. (Previously Presented) The method of claim 8 further comprising denying, by the proxy server, access 
attempts made by the service during the session when the access attempts are not included within the 
service contract. 

11. (Previously Presented) The method of claim 8 further comprising terminating, by the proxy server, the 
session when an event is detected that indicates the service contract is compromised or has expired. 

12. (Previously Presented) The method of claim 8 further comprising establishing, by the proxy server, the 
service contract with the principal prior to receiving the session request. 

13. (Previously Presented) The method of claim 12 further comprising reusing, by the proxy server, the 
service contract to establish one or more additional sessions with the service, wherein the one or more 
additional sessions are associated with one or more additional session requests made by the service. 

14. (Original) The method of claim 12 wherein the establishing further includes establishing the service 
contract with the principal in response to a redirection operation performed by a proxy that intercepts a 
browser request issued from the principal to the service for purposes of accessing the resource. 

15-20. (Canceled) 

21 . (Currently Amended) A policy and attribute based resource session manager, residing in a non- 
transitory computer-accessible medium and for executing on a proxy server, comprising instructions for 
establishing a session with a resource, the instructions when executed performing the method of: 

receiving, at the proxy server, alias identity information from a service, the alias identity information is 
associated with a principal, and the alias identity information includes a random password and a random 
principal identification, the alias identity information is randomly generated for principal identity 
information of the principal and the principal identity information identifies a true identity of the principal; 

requesting, by the proxy server, a mapping of the alias identity information to the principal identity 
information, the principal identity information associated with the true identity of the principal whereas the 
alias identity information is the random password and the random principal identification and the principal 
identity information and the true identity of the principal is available to the proxy server but not the service 
or the resource; 

requesting, by the proxy server, authenticating of the identity information; 

requesting, by the proxy server, a service contract for the principal, the service and a resource, the 
service contract includes selective resource access policies and attributes, the service contract is derived 
from an identity configuration and the identity configuration represents aggregated access policies and 
attributes for the principal with respect to the resource and all known services that are available to the 
principal, each service is an application or system that the principal uses for gaining access to the 
resource; 

defining, via the service contract, a tripartite relationship among the principal, the service, and the 
resource, the service contract including security strictures for the tripartite relationship including the 
selective resource access policies and the attributes, the access policies define operations that the 
service can and cannot perform on behalf of the principal against the attributes of the resource the 
attributes define specific data fields defined within the resource; [[and]]

establishing, by the proxy server, a session with the service and the resource, the session is controlled by 
the service contract and the service makes access requests to a Lightweight Directory Access Protocol 
(LDAP) legacy interface of the resource on behalf of the principal, the access requests made in a format 
handled by the LDAP legacy interface and the LDAP legacy interface is not modified to handle the access 
requests; and 
managing, at the proxy server, the session by acting as an intermediary between the service and the 
legacy LDAP interface which has access privileges to the resource. 



22. (Previously Presented) The policy and attribute based resource session manager of claim 21 having 
instructions further comprising, permitting, at the proxy server, the service to indirectly access an identity 
store which represents the resource, and wherein the identity store includes secure information related to 
the principal. 

23. (Previously Presented) The policy and attribute based resource session manager of claim 21 having 
instructions further comprising terminating, at the proxy server, the session when the service contract 
expires or is compromised. 

24. (Original) The policy and attribute based resource session manager of claim 21 , wherein the 
requesting of the mapping further includes interacting with an alias translator. 

25. (Original) The policy and attribute based resource session manager of claim 21 , wherein the 
requesting of authentication further includes interacting with an identification authenticator. 

26. (Canceled) 

27. (Currently Amended) The policy and attribute based resource session manager of claim [[26]] 21, 
wherein the receiving further includes intercepting a session request that is issued from the service for the 
legacy LDAP [[application]] interface, wherein the session request includes the alias identity information. 

28. (Currently Amended) The policy and attribute based resource session manager of claim 27 having 
instructions further comprising managing, at the proxy server, the session with respect to the service as if 
the policy based resource session manager were the legacy LDAP [[application]] interface. 



29. (Canceled) 
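The flow the allowed claims recite (mapping random alias credentials to a true identity that the service and resource never see, authenticating it, acquiring a service contract from the identity configuration, brokering requests to an unmodified LDAP-style interface, denying out-of-contract requests as in claim 10, terminating on compromise or expiry as in claim 11, and reusing a contract across sessions as in claim 13), modelled as a small runnable program. This is an added illustration by the editor, not the applicant's implementation and not anything from the specification or the cited references; the class and function names (AliasTranslator, ServiceContract, Proxy, legacy_ldap_interface, derive_contract, demo), the directory entry, the policy table and the "mail-client" service are all hypothetical and constructed for the example.

```python
"""Toy model of the claimed proxy: alias mapping, service-contract enforcement and brokering to an
unmodified LDAP-style interface. Added illustration only; all names and data here are hypothetical."""
import secrets
import time
from dataclasses import dataclass

DIRECTORY = {  # constructed sample directory standing in for the legacy LDAP resource
    "uid=alice,ou=people,dc=example,dc=com": {
        "mail": "alice@example.com", "telephoneNumber": "555-0100", "userPassword": "s3cret"}}

def legacy_ldap_interface(op, dn, attrs):
    """Unmodified backend: plain DN + attribute requests; knows nothing of aliases or contracts."""
    entry = DIRECTORY[dn]
    if op == "search":
        return {a: entry[a] for a in attrs}
    if op == "modify":
        entry.update(attrs)
        return True
    raise ValueError("unsupported operation")

class AliasTranslator:
    """Random (principal id, password) pairs mapped back to the true DN; only the proxy holds this."""
    def __init__(self): self._table = {}
    def issue(self, true_dn):
        alias_id, alias_pw = secrets.token_hex(8), secrets.token_urlsafe(24)
        self._table[alias_id] = (alias_pw, true_dn)
        return alias_id, alias_pw
    def resolve(self, alias_id, alias_pw):
        pw, dn = self._table.get(alias_id, (None, None))
        return dn if pw is not None and secrets.compare_digest(pw, alias_pw) else None

@dataclass
class ServiceContract:
    """Security strictures for one principal/service/resource triple."""
    principal: str
    service: str
    resource: str
    allowed: dict          # operation -> attribute names the service may touch
    expires_at: float
    compromised: bool = False
    def permits(self, op, attrs):
        return set(attrs) <= self.allowed.get(op, set())
    def valid(self):
        return not self.compromised and time.time() < self.expires_at

# Constructed identity configuration: aggregated policies per principal and service (one resource).
IDENTITY_CONFIG = {"uid=alice,ou=people,dc=example,dc=com": {
    "mail-client": {"search": {"mail", "telephoneNumber"}, "modify": {"telephoneNumber"}}}}

def derive_contract(principal, service, resource, ttl=300.0):
    policies = IDENTITY_CONFIG.get(principal, {}).get(service)
    if policies is None:
        raise PermissionError(f"no policy for {service}")
    return ServiceContract(principal, service, resource, policies, time.time() + ttl)

class Proxy:
    def __init__(self, translator, backend):
        self.translator, self.backend = translator, backend
        self.contracts, self.sessions = {}, {}   # contract cache (reused across sessions); token -> contract
    def open_session(self, service, resource, alias_id, alias_pw):
        principal = self.translator.resolve(alias_id, alias_pw)    # mapping step
        if principal is None or principal not in DIRECTORY:        # authentication (simplified)
            raise PermissionError("unknown or invalid alias")
        key = (principal, service, resource)
        if key not in self.contracts or not self.contracts[key].valid():
            self.contracts[key] = derive_contract(*key)
        token = secrets.token_hex(16)
        self.sessions[token] = self.contracts[key]
        return token
    def request(self, token, op, attrs):
        contract = self.sessions.get(token)
        if contract is None:
            raise PermissionError("no such session")
        if not contract.valid():                # expired or compromised: terminate
            del self.sessions[token]
            raise PermissionError("session terminated")
        if not contract.permits(op, attrs):     # outside the contract: deny
            raise PermissionError(f"{op} on {sorted(attrs)} not in contract")
        return self.backend(op, contract.principal, attrs)   # true DN substituted here

def attempt(fn, *args):
    try:
        return fn(*args)
    except PermissionError:
        return "denied"

def demo():
    translator, alice = AliasTranslator(), "uid=alice,ou=people,dc=example,dc=com"
    proxy = Proxy(translator, legacy_ldap_interface)
    alias_id, alias_pw = translator.issue(alice)        # this pair, not the DN, goes to the service
    svc = ("mail-client", "people-directory")
    tok = proxy.open_session(*svc, alias_id, alias_pw)
    out = {"search_mail": attempt(proxy.request, tok, "search", ["mail"]),
           "search_password": attempt(proxy.request, tok, "search", ["userPassword"]),
           "modify_phone": attempt(proxy.request, tok, "modify", {"telephoneNumber": "555-0199"}),
           "bad_alias": attempt(proxy.open_session, *svc, "deadbeef", alias_pw),
           "contract_reused": proxy.sessions[proxy.open_session(*svc, alias_id, alias_pw)] is proxy.sessions[tok]}
    proxy.contracts[(alice, *svc)].compromised = True    # a detected compromise of the contract
    out["after_compromise"] = (attempt(proxy.request, tok, "search", ["mail"]), tok not in proxy.sessions)
    return out
```

Running demo() shows the service reading the permitted "mail" attribute, being refused the "userPassword" attribute that its contract does not cover, writing the one attribute it is allowed to modify, failing to open a session with a forged alias, sharing the cached contract across a second session, and losing its session once the contract is marked compromised. The backend function receives only the true DN and the attribute list, so it works unchanged whether or not a proxy sits in front of it; the point of the model is that every decision about who the principal is and what the service may do happens in the proxy, and the authentication step is deliberately simplified to an existence check against the constructed directory.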
Reasons For Allowance 

The following is an examiner's statement of reasons for allowance: The applicant's 
amendments have overcome the rejections presented in the previous office action. An updated 
search revealed U.S. Patent Numbers 7,320,074 and 7,146,635 to Eggebraaten et al. The current 
Examiner's amendment distinguishes from the Eggebraaten references because Eggebraaten 
shows the use of LDAP applications and a tripartite relationship in the same context as claimed 
(col. 6, lines 20-27 and col. 6, lines 46-52) but Eggebraaten does not have a proxy acting as an 
intermediary; instead the LDAP applications discussed in Eggebraaten provide a validation 
that is then used to access the resource separately. 

Any comments considered necessary by applicant must be submitted no later than the 
payment of the issue fee and, to avoid processing delays, should preferably accompany the issue 
fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for 
Allowance." 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to DOUGLAS B. BLAIR whose telephone number is (571)272- 
3893. The examiner can normally be reached on 9:00am-5:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Glen Burgess can be reached on (571) 272-3949. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Douglas B Blair/ 

Primary Examiner, Art Unit 2442 



